cronekorkn/bundlewrap
1
0
Fork 0
Code Issues Pull requests 8 Projects Releases Wiki Activity

raspberrymatic-cert

Browse source
This commit is contained in:
mwiegand 2022-02-06 20:34:17 +01:00
parent c8565876db
commit 254af0c72b
13 changed files with 118 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
bundles/hostname/items.py
View file

@ -1,4 +1,4 @@
files['/etc/hostname'] = {
files[node.metadata.get('hostname_file')] = {
'content': node.metadata.get('hostname'),
'triggers': [
'action:update_hostname',
@ -6,6 +6,6 @@ files['/etc/hostname'] = {
}
actions["update_hostname"] = {
"command": "hostname -F /etc/hostname",
"command": f"hostname -F {node.metadata.get('hostname_file')}",
'triggered': True,
}

9
bundles/hostname/metadata.py
View file

@ -8,6 +8,15 @@ defaults = {
}
@metadata_reactor.provides(
'hostname_file',
)
def hostname_file(metadata):
return {
'hostname_file': node.metadata.get('hostname_file', '/etc/hostname'),
}
@metadata_reactor.provides(
'dns',
)

3
bundles/letsencrypt/files/hook.sh
View file

@ -43,6 +43,9 @@ deploy_cert() {
% for service in sorted(conf.get('reload', [])):
systemctl reload-or-restart ${service}
% endfor
% for service in sorted(conf.get('start', [])):
systemctl start ${service}
% endfor
;;
% endfor
esac

6
bundles/raspberrymatic-cert/files/raspberrymatic-cert Normal file
View file

@ -0,0 +1,6 @@
#!/bin/bash
cat /var/lib/dehydrated/certs/${domain}/privkey.pem /var/lib/dehydrated/certs/${domain}/cert.pem ${'\\'}
| ssh -o StrictHostKeyChecking=no root@${hostname} 'cat > /etc/config/server.pem' ${'\\'}
&& ssh -o StrictHostKeyChecking=no root@${hostname} 'chmod 600 /etc/config/server.pem' ${'\\'}
&& ssh -o StrictHostKeyChecking=no root@${hostname} '/etc/init.d/S50lighttpd reload' ${'\\'}

10
bundles/raspberrymatic-cert/items.py Normal file
View file

@ -0,0 +1,10 @@
files = {
'/opt/raspberrymatic-cert': {
'content_type': 'mako',
'mode': '500',
'context': {
'domain': node.metadata.get('raspberrymatic-cert/domain'),
'hostname': repo.get_node(node.metadata.get('raspberrymatic-cert/node')).metadata.get('hostname'),
}
}
}

32
bundles/raspberrymatic-cert/metadata.py Normal file
View file

@ -0,0 +1,32 @@
from shlex import quote
@metadata_reactor.provides(
'letsencrypt/domains',
)
def letsencrypt(metadata):
return {
'letsencrypt': {
'domains': {
metadata.get('raspberrymatic-cert/domain'): {
'start': ['raspberrymatic-cert'],
},
},
},
}
@metadata_reactor.provides(
'systemd-timers/raspberrymatic-cert',
)
def systemd_timers(metadata):
domain = metadata.get('raspberrymatic-cert/domain')
return {
'systemd-timers': {
'raspberrymatic-cert': {
'command': '/opt/raspberrymatic-cert',
'when': 'daily',
}
},
}

12
bundles/users/items.py
View file

@ -7,14 +7,16 @@ for name, config in node.metadata.get('users').items():
'group': config.get('home_group', name),
'mode': config.get('home_mode', '700'),
}
ssh_dir = config.get('ssh_dir', f"{config['home']}/.ssh")
directories[f"{config['home']}/.ssh"] = {
directories[ssh_dir] = {
'owner': config.get('home_owner', name),
'group': config.get('home_group', name),
'mode': '0700',
}
files[f"{config['home']}/.ssh/id_{config['keytype']}"] = {
files[f"{ssh_dir}/id_{config['keytype']}"] = {
'content': config['privkey'] + '\n',
'owner': name,
'mode': '0600',
@ -22,7 +24,7 @@ for name, config in node.metadata.get('users').items():
'ssh_users',
],
}
files[f"{config['home']}/.ssh/id_{config['keytype']}.pub"] = {
files[f"{ssh_dir}/id_{config['keytype']}.pub"] = {
'content': config['pubkey'] + '\n',
'owner': name,
'mode': '0600',
@ -30,7 +32,7 @@ for name, config in node.metadata.get('users').items():
'ssh_users',
],
}
files[config['home'] + '/.ssh/authorized_keys'] = {
files[f"{ssh_dir}/authorized_keys"] = {
'content': '\n'.join(sorted(config['authorized_keys'])) + '\n',
'owner': name,
'mode': '0600',
@ -40,5 +42,5 @@ for name, config in node.metadata.get('users').items():
}
users[name] = config
for option in ['authorized_keys', 'authorized_users', 'privkey', 'pubkey', 'keytype', 'home_owner', 'home_group', 'home_mode']:
for option in ['authorized_keys', 'authorized_users', 'privkey', 'pubkey', 'keytype', 'home_owner', 'home_group', 'home_mode', 'ssh_dir']:
users[name].pop(option, None)

3
groups/all.py
View file

@ -1,9 +1,7 @@
{
'bundles': [
'sudo',
'system',
'users',
'zsh',
],
'metadata': {
'dns': {},
@ -12,7 +10,6 @@
},
'users': {
'root': {
'shell': '/usr/bin/zsh',
'authorized_keys': {
'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEU1l2ijW3ZqzFGZcdWg2ESgTGehdNfBTfafxsjWvWdS mwiegand@macbook',
},

7
groups/os/linux.py
View file

@ -8,11 +8,13 @@
'locale',
'network',
'ssh',
'sudo',
'systemd',
'systemd-journald',
'systemd-networkd',
'systemd-mount',
'systemd-timers',
'zsh',
],
'metadata': {
'systemd-timers': {
@ -27,5 +29,10 @@
'secondary.resolver.name',
],
},
'users': {
'root': {
'shell': '/usr/bin/zsh',
},
},
},
}

21
groups/os/raspberrymatic.py Normal file
View file

@ -0,0 +1,21 @@
{
'supergroups': [
'all',
],
'bundles': [
'users',
],
'metadata': {
'users': {
'root': {
'password': None,
'shell': '/bin/sh',
'ssh_dir': '/usr/local/etc/ssh',
},
},
'hostname_file': '/var/etc/hostname',
},
'cmd_wrapper_outer': 'sh -c {}',
'cmd_wrapper_inner': '{}',
'lock_dir': '/tmp/bundlewrap',
}

17
nodes/home.homematic.py
View file

@ -1,7 +1,13 @@
{
'dummy': True,
'hostname': '10.0.2.8',
'groups': [
'raspberrymatic',
],
'bundles': [
'hostname',
],
'metadata': {
'id': '',
'id': 'cc1c08ba-8a2e-4cda-9b82-1b88a940e8e8',
'network': {
'internal': {
'ipv4': '10.0.2.8/24',
@ -12,5 +18,12 @@
'A': {'10.0.2.8'},
},
},
'users': {
'root': {
'authorized_users': {
'root@home.server',
},
},
},
},
}

5
nodes/home.server.py
View file

@ -24,6 +24,7 @@
'wireguard',
'zfs',
'crystal',
'raspberrymatic-cert',
'tasmota-charge',
],
'metadata': {
@ -86,6 +87,10 @@
'unsortable': 'SofortUpload/Unsortable',
},
},
'raspberrymatic-cert': {
'domain': 'homematic.ckn.li',
'node': 'home.homematic',
},
'tasmota-charge': {
'phone': {
'ip': '10.0.0.166',

2
requirements.txt
View file

@ -1,4 +1,4 @@
bundlewrap>=4.13.1
bundlewrap>=4.13.6
pycryptodome
PyNaCl
PyYAML